Reviews to Determine Architectural Compliance of Information Technology Acquisitions Need to Be Consistently Performed and Documented

November 2003

Reference Number: 2004-20-017

This report has cleared the Treasury Inspector General For Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

INSPECTOR GENERAL for TAX ADMINISTRATION

November 28, 2003

MEMORANDUM FOR DEPUTY COMMISSIONER FOR OPERATIONS SUPPORT

FROM: Gordon C. Milbourn III
      Acting Deputy Inspector General for Audit

SUBJECT: Final Audit Report - Reviews to Determine Architectural Compliance of Information Technology Acquisitions Need to Be Consistently Performed and Documented (Audit # 200320014)

This report presents the results of our review of the compliance of hardware and software procurements for non-Business Systems Modernization (non-BSM) systems with the Enterprise Architecture (EA).[1] Our review evaluated selected Tier I (e.g., mainframe), Tier II (e.g., mid-range), and Tier III (e.g., end-user computers) procurement requisitions for compliance with the IRS’ EA.

In summary, the IRS has issued interim procedures to promote compliance with its EA.[2] These procedures require that the respective Tier Owners[3] within the Modernization and Information Technology Services organization perform a Tier Review[4] to ensure that acquisition requests comply with the IRS’ EA. However, the procedures called for in IRS policy guidance are not consistently being followed and, as a result, potentially limit the IRS’ ability to ensure that the hardware and software purchases are consistent with its current and projected EA. The IRS uses the Request Tracking System (RTS)[5] to initiate procurement requisitions and document Tier Reviews. Of the 651 procurement requisitions we reviewed on the RTS, 233 showed no indication of a Tier Review. Within these 233 requisitions, we identified 92 procurements totaling $1.1 million that were indicated on the RTS as being Ad Hoc requisitions.[6] None of the Ad Hoc requisitions had an indication of a Tier Review, and some of these requisitions explicitly indicated that a Tier Review was not required. However, we were unable to obtain written procedures that indicated Ad Hoc requisitions were exempt from the Tier Review process. Having an Ad Hoc process that bypasses a Tier Review increases the risk of purchasing equipment that is not compliant with the IRS’ EA.

In our review of a judgmental sample of hardcopy files for 54 of the 651 procurement requisitions,[7] 42 of the 54 sampled items showed no evidence that a Tier Review was performed. Since there was no evidence of a Tier Review being performed on these 42 purchases totaling $30.6 million, the IRS increases the risk of obtaining incompatible information technology (IT) hardware and software that could necessitate additional purchases to provide EA compliance and increases the potential for inefficient use of resources.

Furthermore, hardcopy requisition files did not always provide evidence to corroborate RTS data of a Tier Review. In many instances, we were unable to validate whether IT purchases were compliant. These conditions occurred because Tier Owners did not have complete lists of approved products readily available to facilitate Tier Reviews. In addition, we noted that some IRS personnel were unfamiliar with IRS policy and procedures to appropriately document Tier Reviews and ensure that designated personnel conduct the Tier Reviews.

We recommended that the Chief Information Officer (CIO) ensure Tier Reviews are performed, documented, and periodically reviewed for compliance with required procedures. We also recommended that the CIO ensure Tier Owners develop complete and readily available approved products lists to assist in the completion of Tier Reviews to be performed on all non-BSM IT procurement requisitions.

Management’s Response: IRS management agreed with the recommendations presented. The Enterprise Operations organization has measures in place that will ensure all requisitions are reviewed for completeness and are in compliance with the IRS’ EA, Delegation Order Number 28, and are Section 508 compliant. Requisitions will not be forwarded for approval until all reviews (to include Tier I and II acquisitions) are conducted. The Enterprise Operations organization has issued guidelines requiring that complete products lists for Tier I and Tier II acquisitions accompany the requisition. These lists will be available during Tier I and Tier II Reviews and will become a part of the acquisition file documentation.

The End User Equipment and Services (EUES) organization will develop and implement a procedure ensuring that Tier reviews for Tier III hardware and software purchases are conducted, documented, and periodically reviewed for compliance with required procedures for all non-BSM IT acquisitions. The procedure will be coordinated with the Procurement organization to ensure purchases are not made without receiving Tier III approval. The EUES organization has established a product list for customer review for Tier III acquisitions. Efforts are being put in place to make it readily available for customer review. The list will be made available during Tier III Reviews and will become a part of the acquisition file documentation.

The Enterprise Networks organization adheres to policy and procedures as listed in Delegation Order Number 28 and Internal Revenue Manual 2.21. It has developed an additional set of procedures for internal use to ensure that the appropriate reviews and approvals for Tier IV acquisitions are achieved. As a standard procedure, it will continue to review all Tier IV requisitions for compliance prior to approval. The Enterprise Network organization’s procurements are mostly governed by centralized contracts that have specific products and services approved for compliance with the EA. Management officials and reviewers of Tier IV procurements approve only those products and services that are compliant through the specific contract. Management’s complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers who are affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

[1] The EA defines the Internal Revenue Service’s (IRS) target business practices, the systems that enable the target business practices, and the technology that will support it, and serves as a guide to the IRS’ Modernization Program and investment decisions.
[2] Chief Information Officer Memorandum dated November 14, 2001; Subject: Update to Delegation Order Number 28, Approval of Information Technology Resources. Guidance for satisfying requirements outlined in Delegation Order Number 28 are provided in Interim Internal Revenue Manual (IRM) 2.21 – Part 1 of the Acquisition Life Cycle: MITS Responsibilities, issued November 14, 2001, and effective February 4, 2002. Interim IRM 2.21 was reauthorized in March 2003.
[3] The Tier Owner is the official in charge of the Tier Review.
[4] A Tier Review is to be performed for each information technology requisition to assure it complies with the IRS’ EA requirements.
[5] The RTS provides functions throughout the acquisition process that include creation, routing, and approval of requisitions for goods and services; electronic receipt and acceptance; and enhanced document attachment capability. All procurement requisitions using budget funds from Fiscal Year 1999 and later should be entered in the RTS.
[6] For Tier III, purchases of desktops and laptops are managed directly by the Tier Owner, with limited, documented exceptions. Accordingly, in the event an Ad Hoc request for the purchase of a desktop or laptop arises, the Acquisition Point of Contact should contact and transfer the request to the Tier III Point of Contact to manage the acquisition, including all certifications and reviews.
[7] See Appendix I for a description of our judgmental sampling methodology.

Table of Contents

Background
The Internal Revenue Service Has Limited Assurance That Non-Business Systems Modernization Information Technology Procurements Are in Compliance With the Projected Enterprise Architecture
    Recommendation 1:
    Recommendation 2:
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Outcome Measures
Appendix V – Management’s Response to the Draft Report

Background

One of the major strategies contained in the Fiscal Year (FY) 2000-2005 Internal Revenue Service (IRS) Strategic Plan is to improve property stewardship and asset management compliance with the IRS’ Enterprise Architecture (EA). The EA defines the IRS’ target business practices, the systems that enable these practices, and the technology that will support the EA. It also serves as a guide to the IRS’ Modernization Program and investment decisions.

In November 2001, the IRS Chief Information Officer (CIO) issued Delegation Order Number 28, which became effective in February 2002. This Delegation Order stated that the Modernization, Information Technology, and Security Services executives have been delegated signature authority and ultimate responsibility for approving information technology (IT) goods and services.[1] Since this Delegation Order was issued, over $566 million in procurements have been made using this delegated signature authority. This includes IT hardware and software procurements for non-Business Systems Modernization (BSM) Tier I (e.g., mainframe), Tier II (e.g., mid-range), and Tier III (e.g., end-user computers) systems.

Audit work was conducted in the Modernization, Information Technology, and Security Services organization at IRS Headquarters in New Carrollton, Maryland, from May to July 2003. Subsequent to our field work the Modernization, Information Technology, and Security Services organization was reorganized and renamed the Modernization and Information Technology Services (MITS) organization. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] CIO Memorandum dated November 14, 2001; Subject: Update to Delegation Order Number 28, Approval of Information Technology Resources. Guidance for satisfying requirements outlined in Delegation Order Number 28 are provided in Interim Internal Revenue Manual (IRM) 2.21 – Part 1 of the Acquisition Life Cycle: MITS Responsibilities, issued November 14, 2001, and effective February 4, 2002. Interim IRM 2.21 was reauthorized in March 2003.

The Internal Revenue Service Has Limited Assurance That Non-Business Systems Modernization Information Technology Procurements Are in Compliance With the Projected Enterprise Architecture

The Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, dated November 28, 2000, requires agencies to use or create an EA. Furthermore, the head of each Federal agency is required to effectively and efficiently manage agency information and IT, and develop policies and procedures that provide for timely acquisition of required IT.
The agency’s capital planning and investment control process must build from the agency’s current EA and its transition from current architecture to target architecture. Guidance derived from OMB Circular A-11, Planning, Budgeting, Acquisition, and Management of Capital Assets, dated June 2002, further indicates that Federal agency managers and staff involved in IT planning and investment decision making assess IT initiatives in terms of their costs, risks, and expected returns.

The IRS’ Interim Internal Revenue Manual (IRM) 2.21, Part 1 of the Acquisition Life Cycle: MITS Responsibilities, issued November 14, 2001, and effective February 4, 2002, states that executives with signature authority are fully responsible for each requisition they approve, regardless of the cost.
The Acquisition Life Cycle describes the cradle-to-grave processes surrounding an acquisition, beginning with identifying a business requirement, refining the business requirement into a technical requirement, obtaining all reviews and concurrences necessary to prepare a requisition, procuring the acquisition, and managing the work related to maintaining and supporting an acquisition, such as upgrades.

The interim procedures further state that Ad Hoc requests[2] for Tier III hardware should be transferred to the Tier III Point of Contact to ensure completion of all certifications and reviews. This guidance mandates the use of a Requisition Summary to ensure that all necessary reviews (i.e., Tier Review, Impact Assessment, Security Review) are conducted before approving IT requisitions. The Requisition Summary summarizes the status of all reviews and concurrences to give the Management Approver, with signature authority under Delegation Order Number 28, assurance that the requisition is complete and accurate. Finally, the procedures mandated that the Requisition Summary is to be included as an electronic attachment in the IRS’ Request Tracking System (RTS). The RTS provides functions throughout the acquisition process that include creation, routing, and approval of requisitions for goods and services; electronic receipt and acceptance; and enhanced document attachment capability. All procurement requisitions using budget funds from FY 1999 and later should be entered in the RTS.

[2] For Tier III, purchases of desktops and laptops are managed directly by the Tier Owner, with limited, documented exceptions. Accordingly, in the event an Ad Hoc request for the purchase of a desktop or laptop arises, the Acquisition Point of Contact should contact and transfer the request to the Tier III Point of Contact to manage the acquisition, including all certifications and reviews.

Interim IRS procedures state that a Tier Review is to be performed for each IT requisition to assure it complies with the IRS’ EA requirements. Additionally, documentation related to all reviewed and approved requisitions should be maintained in the originating office and available for comparison against the Requisition Summary under the Compliance Review process[3] conducted by the Office of Technical Contract Management in the IRS Office of Procurement at the direction of the MITS organization.

[3] Process established for measuring and reporting compliance of IT acquisitions with Delegation Order Number 28.

As indicated above, the interim version of the procedures governing the IRS’ IT requisition process has been in effect since February 4, 2002. These procedures were scheduled for dissemination in September 2003 for enterprise-wide review and comment. In addition, the Office of Technical Contract Management made several recommendations addressing the process of IT requisitions in a prior in-house review.[4] For example, the review made recommendations that included clarification of the authority of individuals within the MITS organization to approve IT requisitions. However, key personnel assigned to oversee implementation of the in-house review’s recommendations left the IRS, and no one was designated to continue this effort. As explained below, our review of IT procurement requisitions indicated that Tier Reviews were not always being performed and documented to ensure compliance with the EA.

[4] Compliance Review – Information Technology Requisitions (February to June 2002); review results issued September 6, 2002.

Tier Reviews of IT acquisitions were not consistently reflected on the RTS as required

Between February 4, 2002, and May 21, 2003, the IRS processed 651 requisitions totaling approximately $219 million for IT hardware and software items relating to Tier I, Tier II, and Tier III purchases.[5] Review of the procurement request documentation on the RTS indicated that 233 requisitions (36 percent), totaling $24.1 million, of the 651 requisitions had not been subjected to the required Tier Review, as shown in Table 1.

Table 1: Requisitions Reviewed on the RTS

Requisition Type      Tier Review  Est. Funds (millions)  No Tier Review  Est. Funds (millions)
Tier I & II Hardware  69           $40.7                  16              $4.7
Tier I & II Software  48           $50.0                  9               $6.3
Tier III Hardware     155          $50.1                  83              $3.3
Tier III Software     146          $53.9                  33              $8.7
Subtotals             418          $194.7                 141             $23.0
Tier III Ad Hoc       0            $0.0                   92              $1.1
Grand Totals          418          $194.7                 233             $24.1

Source: The IRS’ RTS data from February 4, 2002, to May 21, 2003.

For 141 of the 233 requisitions, no justification was provided on the RTS for not performing a Tier Review. The 141 requisitions accounted for $23 million.
This indicates that, in the case of all three Tiers we reviewed, personnel were not consistently following established procedures to document the required Tier Reviews because there was no clear accountability for ensuring that IRS personnel strictly adhere to the procedures.

[5] For details on the sampling methodology, see Appendix I.

The remaining 92 of the 233 requisitions were identified on the RTS as Ad Hoc requests and accounted for $1.1 million. None of the Ad Hoc requisitions on the RTS had an indication of a Tier Review, and some of these requisitions explicitly indicated that a Tier Review was not required. However, we were unable to obtain written procedures that indicated Ad Hoc requisitions were exempt from the Tier Review process. Having a process that bypasses a Tier Review increases the risk of purchasing equipment that is not compliant with the IRS’ EA.

We also found that the Tier Owners (Tiers I, II, and III) were not consistent in preparing a Requisition Summary on the RTS. For example, Tier personnel did not always enter a Requisition Summary into the RTS.
This indicates that the process of uploading the electronic copy of the Requisition Summary is not consistently followed across the Tiers.

Hardcopy requisition file documentation did not always contain evidence that a Tier Review had been conducted

We requested the original requisition files for a judgmental sample of 238 of the 651 requisitions so we could review the documentation supporting the required Tier Review. Since the files are located in various geographical offices, we agreed to reduce our sample, at IRS management’s request, to 54 requisition files, consisting of 25 that the RTS indicated as having a Tier Review and 29 indicated as not having a Tier Review. As shown in Table 2, we were able to obtain the requisition files for only 47 of the 54 requisitions.
Of the 54 files, 42 contained no evidence that a Tier Review had been conducted, including 16 where the RTS showed a review had been conducted.

Table 2: Sample of Requisition Files Reviewed

                                  Requisition File Request Results               Results of Review for Evidence of Tier Review [6]
Category per the RTS  Population  Sample Size  File Received  File Not Received  No Evidence  Evidence  Other [7]
No Tier Review        233         29           23             6                  26           2 [8]     1
Tier Review           418         25           24             1                  16           8         1
Totals                651         54           47             7                  42           10        2

Source: The IRS’ requisition files.

As shown in Table 2, our review of supporting requisition file documentation showed that 26 of the 29 requisition files corroborated the RTS data showing no evidence of a Tier Review. These 26 requisitions accounted for $16.1 million. Additionally, only 8 of the 25 requisition files could corroborate the RTS data of a Tier Review having been performed.
For 16 of the 25 RTS requisitions reflected as having been Tier Reviewed on the RTS, no corroborating evidence was found in the requisition files that a Tier Review had been performed. These 16 requisitions accounted for $14.5 million.

[6] Hardcopy files were examined for evidence of a Tier Review. Requisitions for which no file documentation was provided are included in the “No Evidence” column.
[7] An agreement exists between the Criminal Investigation (CI) and MITS organizations that exempts the CI organization from the MITS organization standards for the purchase of investigative equipment. IRS management advised us there are similar agreements with other organizations, but no documentation was provided to support this statement.
[8] Documentation of a Tier Review was contained in these two requisition files, although the RTS indicated that a Tier Review had not been conducted.

In the case of all three Tiers, the required reviews were not documented as performed or conducted at all because personnel were not formally designated to ensure Tier Review procedures were strictly followed. Furthermore, Tier personnel were not consistent in maintaining electronic or paper requisition documentation supporting the performance of the required Tier Review. Procurement personnel indicated that contracting officers are not responsible for maintaining requisition file documentation in the official contract file, which necessitated contacting the originating office contacts listed on the RTS to obtain original requisition files.
As a result, Tier representatives were required to spend excessive time during our review attempting to verify performance of Tier Reviews on the IRS’ RTS and in locating supporting documentation.

Without consistent and complete Tier Reviews to ensure development of adequate originating office requisition file documentation (electronic or hardcopy), the IRS has limited assurance that its IT purchases comply with the EA.

Complete lists of approved products were not readily available for use to validate and facilitate Tier Reviews

Interim IRS procedures require Tier Owners to use a Tier Review to verify that hardware and software acquisitions comply with approved products lists that are developed based on EA requirements.
Approved products lists serve as reference guides for the Tier Owner or designated approver to consult before giving approval to hardware and/or software requisitions.

From the RTS and the requisition file documentation provided by the IRS, we attempted to determine whether our sampled requisitions were compliant with the EA. However, we were unable to determine compliance with the EA because approved products lists for hardware and/or software purchases were either not complete or were not readily accessible by Tier representatives for use in verifying compliance of hardware and software acquisitions. For example, we noted that Tier Review and approval personnel for Tier III were unable to use approved products lists for hardware and software requisitions because the lists had not been developed or made readily available for use.

Without developed and accessible approved products lists for each Tier, acquisition approvals by Tier Owners would require extensive time to determine compliance for almost every procurement requisition.

By not consistently implementing established procedures and using prescribed tools (i.e., the Requisition Summary and approved products lists) to perform these reviews, the IRS has increased its risk of obtaining incompatible IT hardware and software that could necessitate additional purchases to provide EA compliance. Based on our work, the IRS has made over $31 million in purchases that may not be compliant and that represent a potential inefficient use of its resources (see Appendix IV).

Recommendations

The CIO should ensure that:

1. Tier Reviews are conducted, documented, and periodically reviewed for compliance with required procedures for all non-BSM IT acquisitions across all Tiers, including Telecommunications.

Management’s Response: The Enterprise Operations organization has measures in place that will ensure all requisitions are reviewed for completeness and are in compliance with the IRS’ EA, Delegation Order Number 28, and are Section 508 compliant. Requisitions will not be forwarded for approval until all reviews (to include Tier I and II acquisitions) are conducted.

The End User Equipment and Services (EUES) organization will develop and implement a procedure ensuring that Tier Reviews for Tier III hardware and software purchases are conducted, documented, and periodically reviewed for compliance with required procedures for all non-BSM IT acquisitions.
The procedure will be coordinated with the Procurement organization to ensure purchases are not made without receiving Tier III approval.

The Enterprise Networks organization adheres to policy and procedures as listed in Delegation Order Number 28 and IRM 2.21. It has developed an additional set of procedures for internal use to ensure that the appropriate reviews and approvals for Tier IV acquisitions are achieved. As a standard procedure, the Enterprise Networks organization will continue to review all Tier IV requisitions for compliance prior to approval.

2. Complete lists of approved products are developed and made readily available for use by reviewers to facilitate Tier Reviews.

Management’s Response: The Enterprise Operations organization has issued guidelines requiring that complete products lists for Tier I and Tier II acquisitions accompany the requisition. These lists will be available during Tier I and Tier II Reviews and will become a part of the acquisition file documentation.

The EUES organization has established a product list for customer review for Tier III acquisitions.
Efforts are being put in place to make it readily available for customer review. The list will be made available during Tier III Reviews and will become a part of the acquisition file documentation.

The Enterprise Network organization’s procurements are mostly governed by centralized contracts that have specific products and services approved for compliance with the EA. Management officials and reviewers of Tier IV procurements approve only those products and services that are compliant through the specific contract.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to assess the compliance of hardware and software procurements for non-Business Systems Modernization (non-BSM) systems with the Enterprise Architecture (EA).1 To accomplish this objective, we:

I.  Evaluated the acquisition review process to determine whether hardware and software procurements were properly evaluated and approved prior to being awarded.
    A.  Evaluated the purchasing process for non-BSM systems.
    B.  Evaluated the Tier Review processes2 to ensure acquisitions (hardware and/or software) requirements were properly reviewed prior to being awarded.
II. Reviewed hardware and software procurements for non-BSM Tier I (e.g., mainframe), Tier II (e.g., mid-range), and Tier III (e.g., end-user computers) systems to determine whether they complied with the EA.
    A.  Reviewed Information Technology Asset Management System (ITAMS) information to identify the information technology (IT) inventory of hardware and/or software.
        We obtained a data extract of the ITAMS database covering the period February 4, 2002, to May 25, 2003, and determined the data could not be used in correlating requisition numbers in the ITAMS to those in the Request Tracking System (RTS).3 The RTS data were used to identify the IT inventory.
    B.  Identified non-BSM procurements in the RTS.
    C.  Analyzed data obtained through the ITAMS (step II.A. above) and the requisitions identified through the RTS (step II.B. above) for testing EA compliance.

1 The EA defines the Internal Revenue Service’s (IRS) target business practices, the systems that enable the target business practices, and the technology that will support it, and serves as a guide to the IRS’ Modernization Program and investment decisions.
2 Process that ensures information technology (IT) acquisition requests comply with the IRS’ EA, which may consist of an architectural or standards review for the given IT acquisition.
3 The RTS provides functions throughout the acquisition process that include creation, routing, and approval of requisitions for goods and services; electronic receipt and acceptance; and enhanced document attachment capability. All procurement requisitions using Fiscal Year 1999 budget funds and later should be entered in the RTS.

        We selected all RTS requisitions from February 4, 2002,4 to May 21, 2003, using the procurement accounting sub-object codes (SOC) of 3151, 3164, 3165, and 3152. These SOCs represent Capitalized Software (Tiers I and II), Capitalized Automated Data Processing (ADP) Equipment (Tiers I and II), Capitalized ADP Equipment (Tier III), and Non-Capitalized Software (Tier III), respectively, with status codes of 90 (partial receipt) and 91 (complete receipt). This represented 651 requisitions as our population from the RTS. We evaluated all 651 requisitions and divided these into 2 populations representing requisitions that were Tier Reviewed and requisitions that were not Tier Reviewed.

        Due to difficulties the IRS had in locating hardcopy procurement requisition files, RTS data validation of Tier Reviews was limited to items in our judgmental sample.5 Data validation of Tier Reviews relied upon hardcopy procurement requisition files for corroborative evidence. We limited our judgmental sample to 54 requisitions per IRS management’s request (25 Tier Reviewed and 29 not Tier Reviewed).
        The 54 requisitions were selected from the RTS data extract covering the period February 4, 2002, to May 21, 2003 (see below for selection methodology of the 54 items).

        Selection of Judgmental Sample

        From the 651 requisitions, 3 populations were defined and represented: Tier Reviewed (418 requisitions), Not Tier Reviewed (141 requisitions), and Ad Hoc6 (92 requisitions).

        Tier Reviewed: Of 418 requisitions that were shown on the RTS to be Tier Reviewed, 25 were sampled. We selected a judgmental sample of requisitions above the following dollar thresholds for each of the SOC categories as follows:
        SOC 3151    $500,000.
        SOC 3152    $75,000.
        SOC 3164    $250,000.
        SOC 3165    $100,000.
        This selection resulted in a sample of 96 requisitions. The IRS stated this documentation request was too large, and due to the IRS’ difficulties noted above, we further limited our sample size. From the listing of 96, we selected a judgmental sample by selecting the 1st requisition and every 4th requisition thereafter. This resulted in a selection of, and request for, 25 requisitions.

        Not Tier Reviewed: There were 233 total requisitions in this population. We removed the 92 Ad Hoc requisitions due to the assertion made that they were exempt from the Tier Review process. This made our total population of exceptions for this test 141 requisitions. From this 141, we selected a judgmental sample by selecting the 1st requisition and every 5th requisition thereafter. This resulted in a selection of, and request for, 29 requisitions.

4 The IRS’ Delegation Order Number 28 and Interim Internal Revenue Manual 2.21 became effective February 4, 2002, and mandated that Tier Reviews be performed.
5 A judgmental sample was used due to difficulties the IRS had in locating requisition files.
6 For Tier III, purchases of desktops and laptops are managed directly by the Tier Owner, with limited, documented exceptions. Accordingly, in the event an Ad Hoc request for the purchase of a desktop or laptop arises, the Acquisition Point of Contact should contact and transfer the request to the Tier III Point of Contact to manage the acquisition, including all certifications and reviews.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Gary V. Hinkle, Director
Theodore Grolimund, Audit Manager
Mark Carder, Senior Auditor
Myron Gulley, Senior Auditor
Steven Gibson, Auditor
Linda Screws, Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Chief Information Officer OS:CIO
Chief, Information Technology Services OS:CIO:I
Director, Procurement OS:A:P
Acting Director, End User Equipment and Services OS:CIO:I:EU
Director, Enterprise Operations OS:CIO:I:EO
Director, Infrastructure, Architecture, and Engineering OS:CIO:I:IA
Director, Portfolio Management OS:CIO:R:PM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
    Chief, Information Technology Services OS:CIO:I
    Director, Procurement OS:A:P
    Acting Director, End User Equipment and Services OS:CIO:I:EU
    Director, Enterprise Operations OS:CIO:I:EO
    Director, Infrastructure, Architecture, and Engineering OS:CIO:I:IA
    Manager, Program Oversight and Coordination Office OS:CIO:R:PM:PO

Appendix IV
Outcome Measures

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration. These benefits will be incorporated into our Semiannual Report to the Congress.

Type and Value of Outcome Measure:
    • Inefficient Use of Resources – Potential; $16,121,659 (see page 2).
Methodology Used to Measure the Reported Benefit:
In our examination of requisitions using the Request Tracking System (RTS),1 we identified 141 requisitions that had no indication that a Tier Review2 had occurred. Without Tier Reviews, the Internal Revenue Service (IRS) has no assurance that its purchases are in compliance with the Enterprise Architecture (EA).3
We selected a judgmental sample of 29 requisitions from the 141 to examine the hardcopy requisition files to identify evidence that a Tier Review had occurred. Our review of supporting requisition file documentation showed there was no evidence of Tier Review for 26 of these 29 requisitions. These 26 requisitions accounted for $16,121,659.

Type and Value of Outcome Measure:
    • Inefficient Use of Resources – Potential; $1,107,912 (see page 2).
Methodology Used to Measure the Reported Benefit:
In our examination of requisitions using the RTS, we identified 92 Tier III Ad Hoc requisitions4 that had no indication that a Tier Review had occurred. These requisitions accounted for $1,107,912. Without Tier Reviews, the IRS has no assurance that its Tier III Ad Hoc requisitions comply with the EA.

1 The RTS provides functions throughout the acquisition process that include creation, routing, and approval of requisitions for goods and services; electronic receipt and acceptance; and enhanced document attachment capability. All procurement requisitions using budget funds from Fiscal Year 1999 and later should be entered in the RTS.
2 A Tier Review is to be performed for each information technology requisition to assure it complies with the IRS’ Enterprise Architecture requirements.
3 The EA defines the IRS’ target business practices, the systems that enable the target business practices, and the technology that will support it, and serves as a guide to the IRS’ Modernization Program and investment decisions.
4 For Tier III, purchases of desktops and laptops are managed directly by the Tier Owner, with limited, documented exceptions. Accordingly, in the event an Ad Hoc request for the purchase of a desktop or laptop arises, the Acquisition Point of Contact should contact and transfer the request to the Tier III Point of Contact to manage the acquisition, including all certifications and reviews.

Type and Value of Outcome Measure:
    • Inefficient Use of Resources – Potential; $14,455,395 (see page 2).
Methodology Used to Measure the Reported Benefit:
We selected a judgmental sample of 25 requisitions from the 418 requisitions we found to have an indication of a Tier Review on the RTS. For 16 of the 25 requisitions, there was no supporting documentation of a Tier Review. Without Tier Reviews, the IRS has no assurance that its information technology purchases are in compliance with the EA.
These 16 requisitions accounted for $14,455,395.

Attachment V

Management’s Response to the Draft Report
'